11 年之前 · 48483e9aa1
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java
@@ -202,5 +202,8 @@ public class CommonConfigurationKeys extends CommonConfigurationKeysPublic {
 
				 
			
 
				   public static final long HADOOP_SECURITY_UID_NAME_CACHE_TIMEOUT_DEFAULT =
			
 
				     4*60*60; // 4 hours
			
 
				+  
			
 
				+  public static final String  IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY = "ipc.client.fallback-to-simple-auth-allowed";
			
 
				+  public static final boolean IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT = false;
			
 
				 
			
 
				 }
			
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
@@ -108,6 +108,8 @@ public class Client {
 
				   private int refCount = 1;
			
 
				 
			
 
				   private final int connectionTimeout;
			
 
				+
			
 
				+  private final boolean fallbackAllowed;
			
 
				   
			
 
				   final static int PING_CALL_ID = -1;
			
 
				   
			
@@ -452,7 +454,8 @@ public class Client {
 
				     private synchronized boolean setupSaslConnection(final InputStream in2, 
			
 
				         final OutputStream out2) 
			
 
				         throws IOException {
			
 
				-      saslRpcClient = new SaslRpcClient(authMethod, token, serverPrincipal);
			
 
				+      saslRpcClient = new SaslRpcClient(authMethod, token, serverPrincipal,
			
 
				+          fallbackAllowed);
			
 
				       return saslRpcClient.saslConnect(in2, out2);
			
 
				     }
			
 
				 
			
@@ -1045,6 +1048,8 @@ public class Client {
 
				     this.socketFactory = factory;
			
 
				     this.connectionTimeout = conf.getInt(CommonConfigurationKeys.IPC_CLIENT_CONNECT_TIMEOUT_KEY,
			
 
				         CommonConfigurationKeys.IPC_CLIENT_CONNECT_TIMEOUT_DEFAULT);
			
 
				+    this.fallbackAllowed = conf.getBoolean(CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY,
			
 
				+        CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT);
			
 
				   }
			
 
				 
			
 
				   /**
			
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
@@ -59,6 +59,7 @@ public class SaslRpcClient {
 
				   public static final Log LOG = LogFactory.getLog(SaslRpcClient.class);
			
 
				 
			
 
				   private final SaslClient saslClient;
			
 
				+  private final boolean fallbackAllowed;
			
 
				 
			
 
				   /**
			
 
				    * Create a SaslRpcClient for an authentication method
			
@@ -69,8 +70,10 @@ public class SaslRpcClient {
 
				    *          token to use if needed by the authentication method
			
 
				    */
			
 
				   public SaslRpcClient(AuthMethod method,
			
 
				-      Token<? extends TokenIdentifier> token, String serverPrincipal)
			
 
				+      Token<? extends TokenIdentifier> token, String serverPrincipal,
			
 
				+      boolean fallbackAllowed)
			
 
				       throws IOException {
			
 
				+    this.fallbackAllowed = fallbackAllowed;
			
 
				     String saslUser = null;
			
 
				     String saslProtocol = null;
			
 
				     String saslServerName = null;
			
@@ -155,6 +158,11 @@ public class SaslRpcClient {
 
				         readStatus(inStream);
			
 
				         int len = inStream.readInt();
			
 
				         if (len == SaslRpcServer.SWITCH_TO_SIMPLE_AUTH) {
			
 
				+          if (!fallbackAllowed) {
			
 
				+            throw new IOException("Server asks us to fall back to SIMPLE " +
			
 
				+                "auth, but this client is configured to only allow secure " +
			
 
				+                "connections.");
			
 
				+          }
			
 
				           if (LOG.isDebugEnabled())
			
 
				             LOG.debug("Server asks us to fall back to simple auth.");
			
 
				           saslClient.dispose();
			
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -1208,4 +1208,17 @@
 
				   </description>
			
 
				 </property>
			
 
				 
			
 
				+<property>
			
 
				+  <name>ipc.client.fallback-to-simple-auth-allowed</name>
			
 
				+  <value>false</value>
			
 
				+  <description>
			
 
				+    When a client is configured to attempt a secure connection, but attempts to
			
 
				+    connect to an insecure server, that server may instruct the client to
			
 
				+    switch to SASL SIMPLE (unsecure) authentication. This setting controls
			
 
				+    whether or not the client will accept this instruction from the server.
			
 
				+    When false (the default), the client will not allow the fallback to SIMPLE
			
 
				+    authentication, and will abort the connection.
			
 
				+  </description>
			
 
				+</property>
			
 
				+
			
 
				 </configuration>
			
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestSaslRPC.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestSaslRPC.java
@@ -727,6 +727,9 @@ public class TestSaslRPC {
 
				     final Configuration clientConf = new Configuration(conf);
			
 
				     SecurityUtil.setAuthenticationMethod(clientAuth, clientConf);
			
 
				     UserGroupInformation.setConfiguration(clientConf);
			
 
				+    clientConf.setBoolean(
			
 
				+        CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY,
			
 
				+        true);
			
 
				     
			
 
				     final UserGroupInformation clientUgi =
			
 
				         UserGroupInformation.createRemoteUser(currentUser + "-CLIENT");